Zoom (software)

Zoom (stylized as all lowercase) is a proprietary videotelephony software program developed by Zoom Video Communications. The free plan allows up to 100 concurrent participants, with a 40-minute time restriction. Users have the option to upgrade by subscribing to a paid plan, the highest of which supports up to 1,000 concurrent participants for meetings lasting up to 30 hours.

History
A beta version of Zoom that could host conferences with only up to 15 video participants was launched on August 21, 2012. On January 25, 2013, version 1.0 of the program was released with an increase in the number of participants per conference to 25. By the end of its first month, Zoom had 400,000 users. By 2013, Zoom had more than one million users. After the start of the COVID-19 pandemic, by February 2020, Zoom had gained 2.22 million users in 2020 – more users than it amassed in the entirety of 2019. In March 2020, the Zoom app was downloaded 2.13 million times.

During the COVID-19 pandemic, there was a major increase in the use of Zoom for remote work, distance education, and online social relations. Zoom was one of the most downloaded mobile apps worldwide in 2020 with over 500 million downloads.

As of April 2020, Zoom had more than 300 million daily meeting participants (calculated as the number of times someone joins a meeting, which can happen multiple times per day).

Features
Zoom One has six tiers: Basic, Pro, Business, Business Plus, Enterprise, and Enterprise Plus. Zoom is compatible with Windows, macOS, iOS, Android, ChromeOS, and Linux. It is noted for its simple interface and usability, regardless of technological expertise. Features include one-on-one meetings, group video conferences, screen sharing, plugins, browser extensions, and the ability to record meetings and have them automatically transcribed. On some computers and operating systems, users are able to select a virtual background, which can be downloaded from different sites, to use as a backdrop behind themselves.

Use of the platform is free for video conferences of up to 100 participants at once, with a 40-minute time limit. There is a 10-minute timeout period between free 40-minute meetings. For longer or larger conferences with more features, paid subscriptions are available. Features geared towards business conferences, such as Zoom Rooms, are also available. Up to 49 people can be seen on a desktop or laptop screen at once, up to 4 people per screen in iPhone and Android mobile phones and tablet computers, and up to 16 people per screen on iPad.

Zoom security features include password-protected meetings, user authentication, waiting rooms, locked meetings, disabling participant screen sharing, randomly generated IDs, and the ability for the host to remove disruptive attendees. As of June 2020, Zoom began offering end-to-end encryption to business and enterprise users, with AES 256 GCM encryption enabled for all users. In October 2020, Zoom added end-to-end encryption for free and paid users. It is available on all platforms, except for the official Zoom web client.

Zoom also offers a transcription service using Otter.ai software that allows businesses to store transcriptions of the Zoom meetings online and search them, including separating and labeling different speakers.

In July 2020, Zoom Rooms and Zoom Phone became available as hardware as a service products. As of July 2022, Zoom Phone is available for domestic telephone service in 47 countries, and the company has sold 3 million seats for the service. Zoom for Home, a category of products designed for home use, became available in August 2020. Zoom Phone Provider Exchange, which gives customers options for voice services, reaches more than 70 countries. In July 2022, an option was added on Zoom Phone to turn on end-to-end encryption during one-on-one calls between users on the same company account.

In September 2020, Zoom added new accessibility features to make the app easier to use for those who are deaf, hard of hearing, or visually impaired. New features include the ability to move around video windows in gallery view, pin video windows to be spotlighted; improved keyboard shortcuts; new tools to adjust the size of closed captioning text; and sign language interpreters' windows can now sit directly next to the speaker.

In October 2020 at Zoomtopia, Zoom's annual user conference, the company unveiled OnZoom, a virtual event marketplace with an integrated payment system where users can host and promote free or paid live events. With OnZoom, users will be able to schedule and host one-time events or event series for up to 1,000 attendees and sell tickets online. The company also announced Zoom Apps, a feature integrating third-party apps so they can be used within the Zoom interface during meetings. The first such apps were expected to be available around the end of 2020, from companies including Slack, Salesforce, Dropbox, and Qatalog. In October 2020, Zoom gave its users better security with an upgrade to end-to-end encryption for its online meetings network.

Also in October 2020, Zoom signed a carrier agreement with Global BT Business to offer a fully managed Zoom Meetings service featuring a choice of connectivity and integration with its global voice network.

In February 2021, Zoom added a "virtual receptionist" feature in the Kiosk Mode for Zoom Rooms. Created for in-person visitors to a business to interact in the lobby without physical contact.

On March 22, 2021, Zoom announced that it would start selling its videoconferencing technology as a white-label product, so other companies can embed it in their own products, with the calls running over Zoom but not carrying the company's brand name.

In July 2021, Zoom released Zoom Apps which integrated a marketplace of third-party applications such as Dropbox Spaces, Asana, and SurveyMonkey.

In August 2021, Zoom launched Focus Mode, designed for use in educational settings. When active, the mode will hide participants' screens from each other (though they can see each other's names) while the host retains the ability to see everyone's camera stream or screen share. The feature is available across all Zoom accounts, including free ones.

In September 2021 at Zoomtopia, the company announced that end-to-end encryption would now be available as an upgrade for Zoom Phone users. The company also announced Bring Your Own Key (BYOK) (for users to manage their own encryption keys that Zoom cannot access or see), Verified Identity (a multi-factor authentication feature working through Okta that allows users to confirm the identity of meeting participants), and Video Engagement Center (for businesses to digitally interact with customers). Other updates include revamped virtual whiteboard features, including touchscreen whiteboards that can be digitized for remote participants, and improved collaboration between Zoom Meetings and Zoom Chat.

In October 2021, the option to automatically generate closed captions in English for Zoom meetings was expanded to all accounts, including free ones. The feature had previously only been available for Premium users.

In April 2022, Zoom added features including gesture recognition, a virtual whiteboard, and Zoom IQ for sales. In February 2022, the company launched Zoom Contact Center, a cloud contact center optimized for video calls and integrated directly into Zoom.

In June 2022, Zoom One, which brings together chat, phone, whiteboard, and video conferencing capabilities into a single offering, was launched. Also in June 2022, Zoom opened its Zoom Apps developer program to all developers, via Zoom Apps SDK. With the release of Zoom One, the company offers video conferencing translation and captioning for 11 languages: English, simplified Chinese, Dutch, French, German, Italian, Japanese, Korean, Russian, Spanish, and Ukrainian. This feature is available with the Business Plus and Enterprise Plus plans.

Usage
Zoom is used by a variety of individuals and private and public organizations, including banks, schools, universities, healthcare providers, and government agencies,   and for ceremonies such as birthday parties, funeral services, and bar and bat mitzvah services. In 2020, Zoom formed a partnership with Formula One to create a virtual club where fans can go behind the scenes and take part in virtual activities through Zoom, beginning with the Hungarian Grand Prix. An article published in July 2020 in the San Francisco Chronicle noted a new real estate trend in San Francisco and Oakland where some listings include "Zoom rooms" with backdrops for Zoom calls.

Richard Nelson's play What Do We Need to Talk About? takes place on Zoom, with its main characters congregating online during the COVID-19 pandemic using the platform. Written and directed by Nelson, it was commissioned by The Public Theater and premiered on YouTube on April 29, 2020, as a benefit performance. The New Yorker called it "the first great original play of quarantine". Oprah's Your Life in Focus: A Vision Forward was a live virtual experience hosted by Oprah Winfrey on Zoom from May 16 through June 6, 2020. In Source Material's 2020 play, In These Uncertain Times, directed by Samantha Shay, characters communicate on Zoom. The British found-footage horror film Host, directed by Rob Savage, features a group of young people attempting to contact spirits through a remote séance on Zoom, and premiered on Shudder in July 2020. A live reading of Kristoffer Diaz's 2009 play The Elaborate Entrance of Chad Deity over Zoom streamed on Play-PerView from August 15t to August 20, 2020. In the 2021 film Locked Down, directed by Doug Liman and starring Anne Hathaway and Chiwetel Ejiofor, characters communicate through Zoom conferences.

From July 3 to 4, 2020, the International Association of Constitutional Law and Alma Mater Europaea used Zoom Webinar to conduct the first "round-the-clock and round-the-globe" event, featuring 52 speakers from 28 countries and several time zones. Soon after, a format of conferences that "virtually travel the globe with the sun from East to West", became common, some of them running for several days.

On September 17, 2020, a live table read of the script for the 1982 film Fast Times at Ridgemont High was hosted by Dane Cook, with performers including Brad Pitt, Jennifer Aniston, Julia Roberts, original cast member Sean Penn, Matthew McConaughey, Shia LaBeouf, Morgan Freeman (who served as the narrator), Jimmy Kimmel, Ray Liotta, and John Legend, to raise money for the charity CORE. The broadcast of the 72nd Primetime Emmy Awards on September 20, 2020, hosted by Jimmy Kimmel, featured nominees participating through Zoom. On an alternate music video for the 2020 single "Ice Cream" by Blackpink featuring Selena Gomez, the artists appeared via Zoom from their homes. The series Zoom Where It Happens, airing on Zoom as a partnership between Zoom and Black female artists, launched in September 2020 with a virtual table read of an episode of The Golden Girls, reimagined with an all-Black cast. The second episode featured an all-Black cast in a table read of an episode of Friends, hosted by Gabrielle Union and featuring Sterling K. Brown and Uzo Aduba. Familiarity with Zoom meetings in nation-state diplomatic and bureaucratic circles, partially due to the global COVID-19 pandemic, substantially contributed to the efficacy of the Western response to the 2022 Russian invasion of Ukraine

Reception
Zoom has been criticized for "security lapses and poor design choices" that have resulted in heightened scrutiny of its software. Many of Zoom's issues "surround deliberate features designed to reduce friction in meetings", which Citizen Lab found to "also, by design, reduce privacy or security". In March 2020, New York State Attorney General Letitia James launched an inquiry into Zoom's privacy and security practices. The inquiry was closed on May 7, 2020, with Zoom not admitting wrongdoing, but agreeing to take added security measures. In April 2020, CEO Yuan apologized for the security issues, stating that some of the issues were a result of Zoom's having been designed for "large institutions with full IT support". He noted that in December 2019, Zoom had a maximum of 10 million daily meeting participants, and in March 2020 the software had more than 200 million daily meeting participants, bringing the company increased challenges. Zoom agreed to focus on data privacy and issue a transparency report. In April 2020, the company released Zoom version 5.0, which addressed a number of the security and privacy concerns. It includes passwords by default, improved encryption, and a new security icon for meetings. In September 2020, Zoom added support for two-factor authentication to its desktop and mobile apps; the security feature was previously Web-only.

As of April 2020, businesses, schools, and government entities who have restricted or prohibited the use of Zoom on their networks include Google, Siemens, the Australian Defence Force, the German Ministry of Foreign Affairs, the Indian Ministry of Home Affairs, SpaceX, and the New York City Department of Education. In May 2020, the New York City Department of Education lifted their ban on Zoom after the company addressed security and privacy concerns.

Privacy
Zoom has been criticized for its privacy and corporate data sharing policies, as well as for enabling video hosts to potentially violate the privacy of those participating in their calls.

In March 2020, a Motherboard article found that the company's iOS app was sending device analytics data to Facebook on startup, regardless of whether a Facebook account was being used with the service, and without disclosing it to the user. Zoom responded that it had been made aware of the issue and patched the app to remove the SDK after learning that it was collecting unnecessary device data. The company stated that the SDK was only collecting information on the user's device specifications (such as model names and operating system versions) in order to optimize its service and that it was not collecting personal information. In the same month, Zoom was sued by a user in U.S. Federal Court for illegally and secretly disclosing personal data to third parties, including Facebook. Zoom responded that it "has never sold user data in the past and has no intention of selling users' data going forward".

In April 2020, a Zoom information gathering feature was found that automatically sent user names and email addresses to LinkedIn, allowing some participants to surreptitiously access LinkedIn profile data about other users without their express consent. Soon after, the companies disabled their integration. In May 2020, the Federal Trade Commission announced that it was looking into Zoom's privacy practices. The FTC alleged in a complaint that since at least 2016, "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, did not provide advertised end-to-end encryption, falsely claimed HIPAA compliance, installed the ZoomOpener webserver without adequate consent, did not uninstall the web server after uninstalling the Zoom App, and secured its Zoom Meetings with a lower level of encryption than promised." On November 9, 2020, a settlement was reached, requiring the company to stop misrepresenting security features, create an information security program, obtain biannual assessments by a third party, and implement additional security measures.

Vulnerabilities
In November 2018, a security vulnerability was discovered that allowed a remote unauthenticated attacker to spoof UDP messages that allowed the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens. The company released fixes shortly after the vulnerability was discovered. In July 2019, security researcher Jonathan Leitschuh disclosed a zero-day vulnerability allowing any website to force a macOS user to join a Zoom call, with their video camera activated, without the user's permission. Attempts to uninstall the Zoom client on macOS would prompt the software to re-install automatically in the background using a hidden web server that was set up on the machine during the first installation so that it remains active even after attempting to remove the client. After receiving public criticism, Zoom removed the vulnerability and the hidden webserver to allow complete uninstallation. In April 2020, security researchers found vulnerabilities where Windows users' credentials could be exposed. Another vulnerability allowing unprompted access to cameras and microphones was made public. Zoom issued a fix in April 2020.

Motherboard reported that there were two Zoom zero-days for macOS and Windows respectively, selling for $500,000, on April 15, 2020. Security bug brokers were selling access to Zoom security flaws that could allow remote access into users' computers. Hackers also put up over 500,000 Zoom user names and passwords for sale on the dark web. In response to the multitude of security and privacy issues found, Zoom began a comprehensive security plan, which included consulting with Luta Security, Trail of Bits, former Facebook CSO Alex Stamos, former Google global lead of privacy technology Lea Kissner, BishopFox, the NCC Group, and Johns Hopkins University cryptographer Matthew D. Green.

On April 20, 2020, the New York Times reported that Dropbox engineers had traced Zoom's security vulnerabilities back over two years, pushing Zoom to address such issues more quickly, and paying top hackers to find problems with Zoom's software. In the same article, the New York Times noted that security researchers have praised Zoom for improving its response times, and for quickly patching recent bugs and removing features that could have privacy risks. In a blog post on April 1, 2020, CEO Yuan announced a 90-day freeze on releasing new features, to focus on fixing privacy and security issues within the platform. On July 1, 2020, at the end of the freeze, the company stated it had released 100 new safety features over the 90-day period. Those efforts include end-to-end encryption for all users, turning on meeting passwords by default, giving users the ability to choose which data centers calls are routed from, consulting with security experts, forming a CISO council, an improved bug bounty program, and working with third parties to help test security. Yuan also stated that Zoom would be sharing a transparency report later in 2020.

On November 16, 2020, Zoom announced a new security feature to combat disruptions during a session. The new feature was said to be a default for all free and paid users and made available on the Zoom clients for Mac, PC, and Linux, as well as Zoom mobile apps.

On August 12, 2022, Wired magazine reported on three separate security vulnerabilities discovered by security researcher Patrick Wardle affecting the Zoom Mac OS desktop app. The vulnerabilities allowed an attacker who already had access to the Mac device to perform a privilege escalation attack by installing malicious code using the app's auto-update feature, thereby giving them full control over the victim's device.

Zoombombing
"Zoombombing" is a phenomenon where uninvited participants join a meeting to cause disruption. In July 2019, security researcher Sam Jadali uncovered the DataSpii leak. This catastrophic leak was facilitated by a marketing intelligence company known as Nacho Analytics (NA), which provided its members access to the URLs of real-time Zoom meetings of firms such as Oracle, Dell, Walmart, Uber, UCLA and Capital One. NA's dissemination of meeting URLs enabled its members to Zoombomb these meetings. In April 2020, Zoom increased its default security settings to mitigate Zoombombing. The company also created a new "report a user to Zoom" button, intended to catch those behind Zoombombing attacks.

Encryption practices
Zoom encrypts its public data streams, using TLS 1.2 with AES-256 (Advanced Encryption Standard) to protect signaling, and AES-128 to protect streaming media. Security researchers and reporters have criticized the company for its lack of transparency and poor encryption practices. Zoom initially claimed to use "end-to-end encryption" in its marketing materials, but later clarified it meant "from Zoom end point to Zoom end point" (meaning effectively between Zoom servers and Zoom clients), which The Intercept described as misleading and "dishonest". Alex Stamos, a Zoom advisor who was formerly security chief at Facebook, noted that a lack of end-to-end encryption is common in such products, as it is also true of Google Hangouts, Microsoft Teams, and Cisco Webex. On May 7, 2020, Zoom announced that it had acquired Keybase, a company specializing in end-to-end encryption, as part of an effort to strengthen its security practices moving forward. Later that month, Zoom published a document for peer review, detailing its plans to ultimately bring end-to-end encryption to the software.

In April 2020, Citizen Lab researchers discovered that a single, server-generated AES-128 key is being shared between all participants in ECB mode, which is deprecated due to its pattern-preserving characteristics of the ciphertext. During test calls between participants in Canada and United States, the key was provisioned from servers located in mainland China where they are subject to the China Internet Security Law.

On June 3, 2020, Zoom announced that users on their free tier will not have access to end-to-end encryption so that they could cooperate with the FBI and law enforcement. Later, they said that they do not "proactively monitor meeting content". On June 17, 2020, the company reversed course and announced that free users would have access to end-to-end encryption after all.

On September 7, 2020, cryptography researcher Nadim Kobeissi accused Zoom's security team of failing to credit his open-source protocol analysis research software, Verifpal, with being instrumental during the design phase of Zoom's new encryption protocol, as described in their whitepaper published in June 2020. Kobeissi published a week's worth of conversations with Zoom's security leadership in support of his claim, including Max Krohn, which included eight Verifpal models that Zoom's team asked for feedback on, promises of a citation to credit Kobeissi for his contributions and an admission that the Verifpal citation was pulled from the whitepaper at the last moment for unspecified reasons. Kobeissi also linked to a tweet by Zoom security consultant Lea Kissner which he described as a public character assassination attempt issued in response to his repeated requests to have his work cited in the research paper published by Zoom.

Data routing
Zoom admitted that some calls in early April 2020 and prior were mistakenly routed through servers in mainland China, prompting some governments and businesses to cease their usage of Zoom. The company later announced that data of free users outside of China would "never be routed through China" and that paid subscribers will be able to customize which data center regions they want to use. The company has data centers in Europe, Asia, North America, and Latin America.

Regulatory issues
In August 2021, the Data Protection regulatory body in Hamburg, Germany, ruled that Zoom was operating in the European Union in breach of the General Data Protection Regulation (GDPR). This is due to the fact that, as per the Schrems II ruling, data that is being transferred out of the EU must be given the same protections that provided by the GDPR. The data gathered by Zoom was being sent to the United States.